Greetings,

I think your best bet is to run at least the minimal SL (actually RedHat) firewall via iptables. To protect yourself against brute force attacks, I use ossec (http://www.ossec.net/). It is a very good product and works by analyzing log files, so it cannot be compromised via a network attack.

Hope this helps,
doug

> > Eduardo Bach wrote:
> > Hello Troy,
> >
> > Sorry, the last answer was a draft sent in error. Now it is correct.
> >
> > Thank you for responding so promptly. Here below are the answers to your
> > questions:
> >
> > Troy Dawson wrote:
> > > Eduardo Bach wrote:
> > > > Hello to all,
> > > >
> > > > One of our servers was invaded. We just started the investigations,
> > > > but the main clue, besides some strange files copied and deleted, is
> > > > that the sshd binary has changed. Its original size was ~313KB and moved
> > > > to 1.18Mb. Its version was 3.9p1-11.e4_7. As we are at the beginning of
> > > > the investigations, I wonder if anyone had a similar problem, or has any
> > > > clue on how the intruder may have entered?
> > > > Thanks in advance.
> > > >
> > > > Eduardo Bach
> > > >
> > > Hi,
> > > I'm not the best investigator of break-ins, so I am probably not going
> > > to have an answer, but with the information you gave us, it could be
> > > anything. It could be someone got a password from somewhere, to
> > > apache running as root.
> > >
> > > So here are a couple of questions that might help get started.
> > >
> > > What version of linux was it running? If not linux, what OS was it
> > > running?
> > >
> >
> > Scientific Linux 4.6.
> >
> >
> > > What services did it have? Was it a web server, a database server, a
> > > desktop?
> > >
> > > How many users had access to the machine? Was it a server with only
> > > one user, or a general login machine?
> > >
> > > How could people login? ssh only? telnet? rsh?
> > >
> > > Did your average person have physical access to the machine?
> > >
> >
> > This server had only one service: sshd, and had no firewall. This was a
> > general login machine for just a few users (<20). When I wrote my
> > first email, I suspected a bug in ssh, but looking on the internet I
> > did not find any report for this version. Now I am thinking of the
> > possibility that the hacker found the password of one of the users with
> > brute force, and exploited some bug from there, inside the system.
> > Finding the bug that was exploited after the acquisition of the password is
> > not as important to me now, but making sure that this was how he/she was able
> > to enter is.
> >
> >
> > > Answers to those questions help track things down.
> > > Another thing most people do is take a snapshot of the disk, so your
> > > investigation doesn't mess up the evidence.
> > > Troy
> > >
> > A backup server is standing up, so we have the time we need to identify what
> > happened.
> > Thanks again for your help.
> >
> > Eduardo Bach
> >
> >
> >
> It's also a good idea to change the ssh port to something other than the
> default; this will stop the "ssh-brute-force-crack" that has been
> plaguing the internet for as long as I can remember.
> See http://openssh.org/manual.html for specific instructions.
>
> Regards,
>
> Bruce Prewit
>
----------------------------------------------------------------------------
Doug Johnson
B390, Duane Physics                  (303)-492-4506 Office
Boulder, CO 80309                    (303)-492-5119 FAX
http://www.aaccchildren.org
I talk to the wind, my words are all carried away
I talk to the wind, the wind does hear, the wind cannot hear.
----------------------------------------------------------------------------
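The thread's working theory is that a user password was guessed by an ssh brute force run and the account then used to log in; Doug's recommendation, ossec, finds exactly this pattern by reading the auth log. Below is an added example of that detection logic, written for this page and not taken from the thread, from ossec, or from Scientific Linux. It parses the syslog-style lines EL4's sshd writes, counts failed password attempts per source address in a sliding window, and flags a later successful login from an address that was already brute forcing. The hostnames, addresses, usernames, the year (syslog lines carry none) and the threshold of 5 failures in 10 minutes are all constructed or assumed, not values from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (syslog format as written by sshd on EL4-era
# systems). Hosts, addresses and users are made up for this example.
SAMPLE_AUTH_LOG = """\
Jun 12 03:14:01 host1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 40122 ssh2
Jun 12 03:14:03 host1 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 40130 ssh2
Jun 12 03:14:05 host1 sshd[2215]: Failed password for root from 203.0.113.9 port 40141 ssh2
Jun 12 03:14:06 host1 sshd[2217]: Failed password for root from 203.0.113.9 port 40150 ssh2
Jun 12 03:14:08 host1 sshd[2219]: Failed password for admin from 203.0.113.9 port 40162 ssh2
Jun 12 03:14:10 host1 sshd[2221]: Failed password for root from 203.0.113.9 port 40170 ssh2
Jun 12 03:15:30 host1 sshd[2230]: Accepted password for root from 203.0.113.9 port 40199 ssh2
Jun 12 08:02:11 host1 sshd[3100]: Failed password for ebach from 198.51.100.24 port 51002 ssh2
Jun 12 08:02:20 host1 sshd[3102]: Accepted password for ebach from 198.51.100.24 port 51004 ssh2
"""

# One regex covers both the failure and the success line; "invalid user"
# appears only when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2008):
    """Return a dict for an sshd password-auth line, or None for anything else.

    Syslog timestamps have no year, so the caller supplies one (assumed here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10), year=2008):
    """Sliding-window brute force detector over sshd auth log text.

    Returns (flagged, users_tried, suspicious_logins):
      flagged          ip -> time the ip first reached `threshold` failures
                       inside `window`
      users_tried      ip -> set of account names that ip failed against
      suspicious_logins list of (time, user, ip) for Accepted logins from an
                       ip that had already been flagged (the password-found case)
    """
    recent = defaultdict(deque)      # ip -> timestamps of failures in window
    flagged = {}
    users_tried = defaultdict(set)
    suspicious_logins = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            users_tried[ip].add(ev["user"])
            # Drop failures that fell out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
        elif ip in flagged:
            # A success from a source that was guessing passwords is the
            # event worth paging on, not just the failures.
            suspicious_logins.append((ev["ts"], ev["user"], ip))
    return flagged, dict(users_tried), suspicious_logins


def report(log_text):
    """Human-readable summary, handy when running the script by hand."""
    flagged, users_tried, suspicious = detect_bruteforce(log_text)
    lines = []
    for ip, ts in sorted(flagged.items()):
        lines.append(f"{ts} brute force from {ip}, accounts tried: "
                     f"{', '.join(sorted(users_tried[ip]))}")
    for ts, user, ip in suspicious:
        lines.append(f"{ts} ALERT successful login as {user} from flagged {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG))
```

On a real box the input would be `/var/log/secure`; the same window logic is what an ossec rule expresses declaratively, and keeping the failure history per source address rather than per account is what catches the "many users, one attacker" pattern that a per-account lockout misses.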